Upstream has issued an advisory today (December 19):
https://www.samba.org/samba/security/CVE-2016-2125.html

Freeze push requested for Cauldron (fixed in 4.5.3). Patch checked into Mageia 5 SVN.
Debian has issued an advisory for this today (December 19):
https://www.debian.org/security/2016/dsa-3740

Advisory saved for later below.

Advisory:
========================

Updated samba packages fix security vulnerability:

Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service (CVE-2016-2125).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125
https://www.samba.org/samba/security/CVE-2016-2125.html
========================

Updated packages in core/updates_testing:
========================
samba-server-3.6.25-2.6.mga5
samba-client-3.6.25-2.6.mga5
samba-common-3.6.25-2.6.mga5
samba-doc-3.6.25-2.6.mga5
samba-swat-3.6.25-2.6.mga5
samba-winbind-3.6.25-2.6.mga5
nss_wins-3.6.25-2.6.mga5
libsmbclient0-3.6.25-2.6.mga5
libsmbclient0-devel-3.6.25-2.6.mga5
libsmbclient0-static-devel-3.6.25-2.6.mga5
libnetapi0-3.6.25-2.6.mga5
libnetapi-devel-3.6.25-2.6.mga5
libsmbsharemodes0-3.6.25-2.6.mga5
libsmbsharemodes-devel-3.6.25-2.6.mga5
libwbclient0-3.6.25-2.6.mga5
libwbclient-devel-3.6.25-2.6.mga5
samba-virusfilter-clamav-3.6.25-2.6.mga5
samba-virusfilter-fsecure-3.6.25-2.6.mga5
samba-virusfilter-sophos-3.6.25-2.6.mga5
samba-domainjoin-gui-3.6.25-2.6.mga5

from samba-3.6.25-2.6.mga5.src.rpm
Patched package uploaded for Mageia 5. Advisory and package list in Comment 1.
URL: (none) => https://lwn.net/Vulnerabilities/709661/
Assignee: bugsquad => qa-bugs
ok I installed the following

The following 36 packages are going to be installed:

- clamav-0.99.2-1.mga5.x86_64
- clamav-db-0.99.2-1.mga5.noarch
- clamd-0.99.2-1.mga5.x86_64
- lib64audit-devel-2.4.4-1.mga5.x86_64
- lib64cap-devel-2.24-3.mga5.x86_64
- lib64clamav7-0.99.2-1.mga5.x86_64
- lib64ext2fs-devel-1.42.12-5.mga5.x86_64
- lib64krb53-devel-1.12.5-1.1.mga5.x86_64
- lib64ldap2.4_2-devel-2.4.40-3.1.mga5.x86_64
- lib64netapi0-3.6.25-2.6.mga5.x86_64
- lib64openssl-devel-1.0.2j-1.mga5.x86_64
- lib64pam-devel-1.1.8-10.1.mga5.x86_64
- lib64sasl2-devel-2.1.26-10.mga5.x86_64
- lib64smbclient0-3.6.25-2.6.mga5.x86_64
- lib64smbclient0-devel-3.6.25-2.6.mga5.x86_64
- lib64smbsharemodes-devel-3.6.25-2.6.mga5.x86_64
- lib64talloc-devel-2.1.5-1.mga5.x86_64
- lib64tdb-devel-1.3.8-1.mga5.x86_64
- lib64tevent-devel-0.9.28-1.mga5.x86_64
- lib64verto-devel-0.2.6-3.mga5.x86_64
- lib64wbclient-devel-3.6.25-2.6.mga5.x86_64
- lib64wrap-devel-7.6-46.mga5.x86_64
- perl-Authen-SASL-2.160.0-5.mga5.noarch
- perl-Convert-ASN1-0.270.0-3.mga5.noarch
- perl-Digest-HMAC-1.30.0-6.mga5.noarch
- perl-Digest-SHA1-2.130.0-15.mga5.x86_64
- perl-ldap-0.620.0-3.mga5.noarch
- samba-client-3.6.25-2.6.mga5.x86_64
- samba-common-3.6.25-2.6.mga5.x86_64
- samba-doc-3.6.25-2.6.mga5.noarch
- samba-domainjoin-gui-3.6.25-2.6.mga5.x86_64
- samba-server-3.6.25-2.6.mga5.x86_64
- samba-virusfilter-clamav-3.6.25-2.6.mga5.x86_64
- samba-virusfilter-fsecure-3.6.25-2.6.mga5.x86_64
- samba-virusfilter-sophos-3.6.25-2.6.mga5.x86_64
- samba-winbind-3.6.25-2.6.mga5.x86_64

201MB of additional disk space will be used.
136MB of packages will be retrieved.
Is it ok to continue?

Set up the Samba Server https://doc.mageia.org/mcc/3/en/content/draksambashare.html. Also enabled SMB through shorewall.

I was able to map and load files from Windows 10 machine to Samba server and retrieve them back. Seems to work to me. Granted, I have not tested ldap or several other pieces yet. Samba Server works though.
CC: (none) => brtians1
That's sufficient for our purposes, Brian, well done. Don't forget to add the OK. Advanced uses are beyond our remit, unless we have invested participants, i.e. people who use it and are willing to test it.
Hi Claire - thanks. I wanted to test the client as well.

Finally did - 32 bit client

The following 3 packages are going to be installed:

- libsmbclient0-3.6.25-2.6.mga5.i586
- libwbclient0-3.6.25-2.6.mga5.i586
- samba-client-3.6.25-2.6.mga5.i586

76B of disk space will be freed.
4.9MB of packages will be retrieved.

I wasn't able to utilize the GUI for mounting but used the command below:

    mount -t cifs //<ip>/<sharename> /<local folder name>

Once I did that properly the Samba client worked fine. 90% sure it is how I had the server configured.
Whiteboard: (none) => MGA5-64-OK MGA5-32-OK
Thank you for your good & prompt work, Brian. Validating, advisory from Comment 1 uploaded.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0431.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
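
An added example, not part of the original thread or of Mageia's tooling: a check that flags samba packages on a Mageia 5 host that are older than the fixed build 3.6.25-2.6.mga5 named in the advisory above. The version comparison is a simplified stand-in for rpm's own algorithm, and the sample input and pre-fix release numbers are constructed.

```python
import re

# Fixed build for Mageia 5, taken from the advisory in this thread.
FIXED = "3.6.25-2.6.mga5"

# Binary packages built from the samba source RPM (names from the advisory;
# x86_64 library packages carry a lib64 prefix, as in the tester's list).
SAMBA_PKG = re.compile(
    r"^(samba-|nss_wins$|lib(64)?(smbclient0|netapi|smbsharemodes|wbclient))")

def vercmp(a, b):
    """Simplified rpmvercmp (assumption: no epoch, '~' or '^' handling)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric beats alphabetic
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two 'version-release' strings; negative means a is older."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def outdated(query_output):
    """Return (name, version-release) for samba packages older than FIXED."""
    hits = []
    for line in query_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and SAMBA_PKG.match(parts[0]):
            if evr_cmp(parts[1], FIXED) < 0:
                hits.append((parts[0], parts[1]))
    return hits

# Constructed sample in the shape of:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
samba-client 3.6.25-2.5.mga5
samba-common 3.6.25-2.6.mga5
lib64smbclient0 3.6.25-2.4.mga5
lib64wbclient0 3.6.25-2.6.mga5
clamav 0.99.2-1.mga5
"""

if __name__ == "__main__":
    for name, evr in outdated(SAMPLE):
        print(f"{name} {evr} is older than {FIXED}")
```

On a real host, pass the output of the `rpm -qa` query shown in the comment to `outdated()` instead of `SAMPLE`.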